What the Data (Use and Access) Act 2025 means for UK businesses. Explains the eight key reforms now in force, including recognised legitimate interests, the Senior Responsible Individual, automated decision-making changes, cookie consent exemptions, and the 35-fold increase in PECR penalties.
Check if the Data (Use and Access) Act 2025 applies to your business. You must follow new rules for cookies, marketing emails, and automated decisions. Some changes make compliance easier, but fines for breaking electronic marketing rules have risen to £17.5 million.
The Data (Use and Access) Act 2025 (DUAA) is the most significant change to UK data protection law since Brexit. It received Royal Assent on 19 June 2025, and the majority of its data protection provisions came into force on 5 February 2026.
If you run a UK business that collects personal data, uses cookies, sends marketing emails, or makes automated decisions about customers or employees, this Act changes your obligations. Some changes reduce administrative burden; others significantly increase the penalties you face for getting things wrong.
The DUAA is not a wholesale replacement of UK GDPR or the Data Protection Act 2018. It is a targeted reform that amends both, along with the Privacy and Electronic Communications Regulations 2003 (PECR). The Act reflects the government's post-Brexit objective of maintaining high data protection standards whilst reducing compliance costs for businesses.
Three things make this Act particularly important for business owners:
The DUAA adds a seventh lawful basis for processing personal data under a new Article 6(1)(ea): recognised legitimate interests.
This matters because the existing legitimate interests basis (Article 6(1)(f)) requires a Legitimate Interest Assessment (LIA) - a documented balancing test that many businesses find time-consuming and uncertain. The new basis removes the balancing test entirely for specific pre-approved purposes listed in a new Annex 1 to the UK GDPR.
The recognised purposes are currently narrow - focused on national security, public security, emergencies, and crime prevention. For most commercial processing (marketing, analytics, product improvement), you will continue using the standard legitimate interests basis with a balancing test. However, the Secretary of State has the power to add further purposes by regulation, so this list may expand over time.
If your business processes data for safeguarding, fraud prevention, or emergency response, review whether the new basis applies. It could simplify your compliance documentation significantly.
The DUAA introduces the Senior Responsible Individual (SRI) as an alternative to the Data Protection Officer (DPO). The DPO model, inherited from EU GDPR, requires the appointed person to operate independently and avoid conflicts of interest. For a 20-person company where the office manager handles data protection alongside other duties, these requirements can be burdensome.
The SRI takes a different approach: instead of independence, it emphasises accountability at a senior level. The SRI must be a member of the organisation's senior management team, directly accountable for data protection compliance.
Public authorities must still appoint a DPO. For private sector organisations, the choice depends on your processing activities. If you conduct large-scale systematic monitoring of individuals or process special category data at scale, the ICO may still expect a DPO. For most SMEs with standard customer and employee data processing, the SRI offers a more practical compliance model.
If you already have a DPO, you are not required to change. The DPO role continues to be recognised. The SRI is an additional option, not a replacement mandate.
The previous Article 22 of UK GDPR restricted solely automated decisions that produce legal or similarly significant effects on individuals - decisions such as automated credit scoring, algorithmic recruitment screening, or insurance pricing. These were only permitted with explicit consent, contract necessity, or specific legal authorisation.
The DUAA relaxes this restriction. From 5 February 2026, significant automated decisions are permitted on any lawful basis, provided appropriate safeguards are maintained.
This change gives businesses more flexibility to deploy AI and algorithmic decision-making in areas like customer service, fraud detection, and HR processes. However, the safeguards remain significant. Individuals retain the right to obtain human intervention, express their views, and contest automated decisions. If you are implementing or expanding automated decision-making systems, you need robust processes for handling these requests.
The relaxation does not apply to automated decisions based on special category data (health, race, religion, political opinions). These remain restricted to explicit consent or substantial public interest grounds.
Since 2011, PECR has required websites to obtain prior consent before placing non-essential cookies. The DUAA introduces exemptions for certain categories, most notably first-party analytics cookies. If your analytics cookies meet specific conditions, you may no longer need prior consent to set them.
Advertising cookies, third-party tracking, cross-site profiling, and social media pixels still require prior consent. The exemption is deliberately narrow: it covers aggregate statistical analysis of your own website, not individual-level tracking or targeting.
Even for exempt cookies, you must still inform users about what cookies you use and provide an easy way to opt out. This means your cookie policy and opt-out mechanism remain important, even if your consent banner becomes simpler.
Perhaps the most immediately consequential change for businesses is the alignment of PECR penalties with UK GDPR levels. Before the DUAA, the maximum fine the ICO could impose for a PECR breach (nuisance calls, spam emails, cookie non-compliance) was £500,000. This was already a significant sum for a small business, but for larger organisations it was often seen as a cost of doing business.
The penalty increase signals a fundamental shift in how PECR enforcement should be viewed. Electronic marketing compliance is no longer a secondary concern with modest financial risk. It now carries the same potential consequences as a major data breach.
If your business sends marketing emails, makes marketing calls, or uses cookies, the financial risk of non-compliance has increased by a factor of 35. This should be reflected in your compliance priorities, staff training, and budget allocation for data protection.
The DUAA is already in force. These are the practical steps to bring your business into compliance.
Check whether any of your processing falls within the new recognised legitimate interests. If so, you can simplify your documentation. For all other processing, ensure your existing lawful bases remain correctly documented.
If you currently have a DPO, consider whether the SRI model is more appropriate for your organisation. If you do not have either, assess whether you need one and which role suits your size and processing activities. Monitor ICO guidance for detailed eligibility criteria.
Identify any processes that make solely automated decisions with legal or significant effects. Review whether your safeguards (human intervention, right to contest) are documented and accessible to individuals. Update your privacy notice to reflect any changes.
Audit your website cookies and determine whether any qualify for the new analytics exemption. Even if exempt, ensure you provide clear information and an easy opt-out. Do not remove consent mechanisms for advertising or third-party cookies.
With penalties now reaching £17.5 million, review your electronic marketing practices. Check consent records, TPS/CTPS screening, unsubscribe mechanisms, and cookie consent banners. The financial risk of non-compliance is now 35 times higher.
Your privacy notice should reflect the new lawful bases, any changes to automated decision-making, and the SRI (if appointed). Schedule a review within the next quarter if you have not already updated it.
Ensure staff who handle personal data, marketing, or website management understand the key changes. The PECR penalty increase in particular should be communicated to anyone involved in marketing campaigns.
The ICO is publishing detailed implementation guidance throughout 2026. Check the ICO DUAA page regularly for updates on the analytics cookie exemption, SRI requirements, and recognised legitimate interests.
The DUAA does not replace UK GDPR, the Data Protection Act 2018, or PECR. It amends all three. Your existing obligations under those laws continue. If you are already compliant with UK GDPR and PECR, the DUAA changes are incremental rather than transformational.
The Act also introduces provisions beyond data protection, including Smart Data schemes (mandatory data portability across sectors) and a digital verification trust framework. These are being implemented separately and will affect specific sectors as regulations are made.